From dd0edc24c26cbc943dfd6ff7a67185e8d941599d Mon Sep 17 00:00:00 2001
From: Stefan Guilhen
Date: Wed, 4 Feb 2026 12:17:32 -0300
Subject: [PATCH] Decode objectGUID when it is imported as a group attribute

Closes #45917

Signed-off-by: Stefan Guilhen
---
 .../storage/ldap/idm/store/ldap/LDAPIdentityStore.java | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPIdentityStore.java b/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPIdentityStore.java
index a38e9b02ff0..1cf91ea00cd 100644
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPIdentityStore.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPIdentityStore.java
@@ -483,8 +483,14 @@ public class LDAPIdentityStore implements IdentityStore {
 Object val = enumm.next();
 if (val instanceof byte[]) { // byte[]
- String attrVal = Base64.getEncoder().encodeToString((byte[]) val);
- attrValues.add(attrVal);
+ if (ldapAttributeName.equalsIgnoreCase(getConfig().getUuidLDAPAttributeName())) {
+ // UUID was fetched as a binary attribute, we decode it here - this is the path that's used for objectGUID in Active Directory
+ String attrVal = this.operationManager.decodeEntryUUID(val);
+ attrValues.add(attrVal);
+ } else {
+ String attrVal = Base64.getEncoder().encodeToString((byte[]) val);
+ attrValues.add(attrVal);
+ }
 } else { // String
 String attrVal = val.toString().trim();
 attrValues.add(attrVal);
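Review bot: The new branch picks the decoder by attribute name alone, so every configured UUID attribute that arrives as `byte[]` goes through `this.operationManager.decodeEntryUUID(val)`, although the comment only speaks of objectGUID in Active Directory. `decodeEntryUUID` is not visible in this hunk; if it does not recognise the vendor's binary layout and falls back to a generic string conversion, the group attribute would hold an unstable value where the old code stored Base64 text. Because the UUID attribute presumably identifies the directory entry, I would state the contract next to the call, e.g. `// decodeEntryUUID must yield a stable textual id for every binary UUID attribute; otherwise keep the Base64 form`, and cover a binary UUID attribute other than objectGUID with a test. Groups imported before this change may still carry the Base64 form of the same value, which deserves a line in the upgrade notes. The enclosing method starts and ends outside the hunk.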